Security of two quantum cryptography protocols using the same four qubit states 
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The first quantum cryptography protocol, proposed by Bennett and Brassard in 1984 (BB84), 
has been widely studied in the last years. This protocol uses four states (more precisely, two 
complementary bases) for the encoding of the classical bit. Recently, it has been noticed that by 
using the same four states, but a different encoding of information, one can define a new protocol 
which is more robust in practical implementations, specifically when attenuated laser pulses are used 
instead of single-photon sources [V. Scarani et al., Phys. Rev. Lett. 92, 057901 (2004); referred to 
as SARG04]. We present a detailed study of SARG04 in two different regimes. In the first part, 
we consider an implementation with a single-photon source: we derive bounds on the error rate 
Q for security against all possible attacks by the eavesdropper. The lower and the upper bound 
obtained for SARG04 (Q < 10.95% and Q •> 14.9% respectively) are close to those obtained for 
BB84 (Q < 12.4% and Q > 14.6% respectively). In the second part, we consider the realistic source 
consisting of an attenuated laser and improve on previous analysis by allowing Alice to optimize the 
mean number of photons as a function of the distance. SARG04 is found to perform better than 
BB84, both in secret key rate and in maximal achievable distance, for a wide class of Eve's attacks. 



I. INTRODUCTION 



Quantum cryptography [1], or quantum key distribu- 
tion (QKD), is the most mature field in quantum in- 
formation, both in theoretical and in experimental ad- 
vances. From the very beginning of quantum informa- 
tion, it was clear that QKD should be secure because of 
the no-cloning theorem, and also that it should be im- 
plementable with available technology. However, both 
rigorous proofs of security and truly practical implemen- 
tations turned out to be serious challenges: one had to 
start from the situations which are easiest to handle. But 
what is " easy" for a theorist (small number of parame- 
ters, idealized components) is not what is "easy" for an 
experimentalist (practical, real components). Thence, 
research in QKD mostly split into two fields: proving 
security in theoretically idealized situations on the one 
hand, and realizing practical prototypes on the other. 
Important advances have been made in both direction; at 
present, while many open problems remain in both fields, 
an urgent task consists in bringing theory and applica- 
tion together again. Indeed, the theoretical tools have 
recently been applied to study the security of practical 
implementations [2]. This paper aims at the same goal, 
on a different protocol and with a different approach. 

In any implementation of QKD, there is a large num- 
ber of components which do not behave according to the 
simplest theoretical model. Such is the source: QKD pro- 
tocols based on photon counting are most easily studied 
by assuming that a single-photon source or a source of 
entangled photons is used; but by far the most practical 
source is an attenuated laser [3]. This practical imple- 
mentation can lead to secure QKD: the analysis of the 
security parameters, while more complex than in the case 
of single photons, is definitely important. A drawback 
of the practical implementation was noticed by some au- 



thors [4] and explicitly stated in 2000 by Liitkcnhaus and 
co-workers [5] : weak laser pulses contain sometimes more 
than one photon; thus, if losses are expected in the quan- 
tum channel (as they always are) , the eavesdropper, Eve, 
may take advantage of the multi-photon pulses by keep- 
ing some photons without introducing errors on those 
that she lets pass. These attacks are known as photon- 
number- splitting (PNS) attacks. Since then, several ways 
have been found to counter PNS attacks. An especially 
strong protection is obtained by introducing decoy states 
[6]; this requires some modification of the experimental 
devices. The idea behind the SARG04 protocol [7,8] is 
different and complementary: one can keep the hardware 
exactly as it is, but modify the classical communication 
between Alice and Bob (the so-called "sifting phase"). 
Note that one can implement both the sifting of SARG04 
and a monitoring using decoy states: this is the protocol 
for which Tamaki and Lo have proved security for onc- 
and two-photon pulses [9] . 

The goal of this paper is to improve the comparison 
between SARG04 and the original protocol of quantum 
cryptography which uses four states, the one devised by 
Bennett and Brassard in 1984, shortened as BB84 [10]. 
The structure of the paper is as follows: 

• The protocol. In Section II, we recall the basics of 
the SARG04 protocol and present its entanglement- 
based version. 

• Single-photon implementation. This is the content 
of Section III. We compute a lower bound for se- 
curity against all possible attacks of the eavesdrop- 
per (in particular, the most general coherent at- 
tacks) under one-way classical processing by Alice 
and Bob — a study usually called "unconditional 
security". The bound we obtain is Q < 10.95% 
where Q is the quantum bit error rate (QBER). 
This bound is Q < 12.4% for the BB84 protocol 
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[11,12]. An upper bound for security can also be 
computed by giving an explicit attack by Eve. We 
identify an incoherent attack which performs better 
than the one which uses the phase-covariant cloning 
machine [13]. SARG04 is found to be certainly in- 
secure in a single-photon implementation as soon 
as Q > 14.9%, the corresponding upper bounds for 
BB84 being Q > 14.64%. 

Thus, the lower and upper bounds for security un- 
der one-way classical postprocessing are similar for 
both protocols. However, suppose that the channel 
Alice-Bob is a depolarizing channel, as is the case 
in all experiments performed to date: 

E[\iJ>)] =F|^| +D\^){^\ (1) 

where F + D = 1. The channel is then charac- 
terized by the disturbance D, or equivalcntly, by 
the visibility V of the fringes one can observe in an 
intcrferometric setup defined by 



Now, the link between the QBER and the visibility 
is different for the two protocols: V = 1 — 2Q for 
BB84, while V = for SARG04. The compar- 

ison of the bound for the visibility is unfavorable 
for SARG04. 

• Attenuated laser pulses (Poissonian source), im- 
perfect detectors. In Section IV, we consider the 
more realistic situation for which SARG04 was de- 
vised. Alice's source is an attenuated laser, pro- 
ducing weak pulses, that is, pulses with a mean 
number of photons [i % 1. A first comparison be- 
tween SARG04 and BB84 in this implementation 
can be found in the original references [7,8]. Here 
we improve significantly on this analysis, although 
the study of ultimate security is still beyond reach. 
Anyway, for a broad class of incoherent attacks by 
Eve including various forms of PNS [14], we can 
compute the optimal secret key rate by optimiz- 
ing over the mean number of photons /i describing 
the Poissonian statistics. We work in the trusted- 
device scenario: Eve cannot take advantage of the 
limited efficiency or of the dark counts of Bob's de- 
tectors. 

We find that the optimal mean number of photon 
goes as /j, pt ~ 1\fi as a function of the transmission 
t of the quantum channel, while the much smaller 
value fi opt ~ t holds for BB84 under identical con- 
ditions [15]. As a consequence, the secret key rate 
(proportional to the detection rate /it) decreases as 
< 3 / 2 instead of the faster t 2 decrease of BB84. The 
limiting distance is also increased in SARG04 with 
respect to BB84, approximately by 10km using typ- 
ical values of the parameters of the detector and the 



channel. Thus, SARG04 compares favorably with 
BB84 in practical implementations for this class of 
attacks. 

The conclusions of both Sections III and IV strongly 
suggest that the same quantum correlations can be ex- 
ploited differently according to the physical realization, 
by adapting the classical encoding and decoding proce- 
dures. 



II. SARG04 

A. SARG04: prepare-and-measure version 

The SARG04 was introduced in Ref. [7] in a prepare- 
and-measure version. At the level of quantum processing, 
it is exactly equivalent to BB84. Alice prepares one of 
the four states belonging to two conjugated bases, e.g. 
\+z) = |0>, \-z) ee |1>, \+x) = ^(|0) + |1» and 

| — x) = ^7|(|0) — |1)). She sends the state to Bob, who 
measures either a z or a x . The difference with BB84 ap- 
pears in the encoding and decoding of classical informa- 
tion. The classical bit is encoded in the basis: | + z) and 
| — z) code for "0", | + x) and | — x) code for "1". Since 
each basis codes for a bit, it is natural in SARG04 to ad- 
mit that the two bases are chosen randomly with equal 
probability [16]. 

In the sifting phase, Alice does not reveal the ba- 
sis (this would reveal the bit): she discloses the state 
she has sent and one of the states which code for the 
other value of the bit, which are not orthogonal to the 
first one. There are thus a priori four sifting sets: 
S++ = {\ + z), | + x)}, S—={\-z),\- x)}, S+_ = 
{| + z), | — x)} and 5_ + = {| — z), \ + x)}. For definite- 
ness, suppose \sent) = | + z) and \declared) = |+a;): 
Bob guesses correctly the bit if he measured a x and found 
\right) = \ — x); he guesses wrongly the bit if he mea- 
sured a z and found \wrong) = \ — z). As usual, an error 
can only happen if the state has been modified by an 
eavesdropper, or in the presence of dark counts. In the 
absence of errors, the length of the sifted key is \ of the 
length of the raw key; in the presence of an error rate Q, 
this length increases. 

This encoding is better to protect secrecy against in- 
coherent PNS attacks when the source is not a single- 
photon source. In fact, suppose that a pulse contained 
two photons and Eve has kept one of them in a quantum 
memory. In BB84, by listening to the sifting, Eve learns 
the basis: she can measure the photon she has kept and 
learn the bit with certainty. In SARG04, in the sifting 
Eve learns that the state is either of two non-orthogonal 
states: she cannot learn the bit with certainty. In or- 
der to learn the bit with certainty without introducing 
errors, Eve has to implement an unambiguous state dis- 
crimination on the three-photon pulses, which succeeds 
with probability \. This suggests that SARG04 should 



2 



be more robust than BB84 against incoherent PNS at- 
tacks. In Refs [7,8] it was shown that this intuitive rea- 
soning is correct and gives a real advantage over BB84; 
we shall confirm this conclusion with a significantly im- 
proved analysis in Section IV. 

B. SARG04: entanglement-based version 

In order to determine a lower bound on the secret key 
rate we will consider the equivalent entanglement-based 
version of the SARG04 protocol [17,9]. To this end we 
define the encoding operators 

A <ru = \0)(az\ + \l)(wx\ (3) 

where a, u) = ±1. Instead of preparing a state and send- 
ing the qubit to Bob, Alice prepares randomly one of the 
states 

A au ®t\*+) = ±(\0)\vz) + \l)\wx)) (4) 

and sends the second qubit to Bob. Measuring Alice's 
qubit then in the computational basis {|0), |1)} prepares 
Bob's qubit in one of the four states used by the proto- 
col. In order to decode the information sent by Alice, 
Bob applies one of the four operators 

B^ = ^=[a\0)(-ux\+u\l)(-az\]. (5) 

After that, Bob measures his qubit in the computational 
basis. 

Let us show that this description is indeed equivalent 
to the prepare-and-measure protocol described above. 
The preparation by Alice is equivalent since a measure- 
ment in the z-basis performed on the first qubit described 
by one of the states A auJ ® 1|<I> + ) leads with equal proba- 
bility to one of the states \az), \ux). On the other hand, 
Bob's measurement is 

BlJQ){Q\B au = \\-u>x){-u>x\ ( . 
BL|1><1|£™ = \\-az){-az\ W 

where a, lo — ±. Thus, his measurement corresponds to 
measuring his qubit either in the z, or x-basis [18]. 

We dispose now of all the tools to tackle the security 
studies on the SARG04 protocol. As announced, we con- 
sider first the case of single-photon sources and will tackle 
the more realistic case of attenuated lasers in Section IV. 



III. SINGLE-PHOTON SOURCES 

A. Generalities: the scenario for security proofs 

In this section we investigate the security of the 
SARG04 protocol, assuming that Alice is sending out sin- 
gle photons encoding the bit values. First of all, we com- 
pute a lower bound on the secret key rate using the results 



presented in [11,12]. Then we compare those bounds to 
the bounds derived with proofs based on entanglement 
distillation [9] . After that we determine an upper bound 
on the secret key rate for the SARG04 protocol. To this 
aim we explicitly construct an attack by Eve. This attack 
is incoherent, i.e. acting on each qubit individually and 
measuring each qubit right after the basis reconciliation. 

B. Lower bound on the secret key rate 

1 . Review of the approach 

Let us start by summarizing the results presented in 
[11,12], where a computable lower bound on the secret 
key rate for a general class of QKD protocols using one- 
way classical post-processing has been derived. We use 
the entanglement-based description of the protocol. Al- 
ice prepares n qubit-pairs at random in one of the states 
defined in Eq. (4) and sends the second qubit of each pair 
to Bob. Eve might now apply the most general attack 
on all the qubits sent to Bob. Bob applies at random 
one of the operators defined in Eq. (5) on the qubits 
he received. After that Alice and Bob symmetrize their 
qubit pairs by applying a random permutation on them. 
On the other hand, Alice and Bob randomly choose for 
each qubit pair to apply the bit flip operation (a x ® a x ). 
Both of those transformations commute with their mea- 
surement in the z-basis. It has been shown in [11] that 
after randomly applying these transformation the form 
of the state describing Alice's and Bob's system is Bell- 
diagonal, independently of the protocol. Its eigenbasis 
is given by {|$+>® ni \<$>~f n2 \V+f n3 1*-)®" 4 }, where 
ni+n2+n3+ri4 = n and the states l^*), |^ ) denote the 
Bellbasis. Apart from that the state is symmetric with 
respect to exchanging the different qubit-pairs. The only 
free parameters are the eigenvalues of the density oper- 
ator. Those depend on the distribution of the quantum 
information, i.e. on the QKD protocol. It is important to 
note that when assuming that Eve has a purification of 
this state, i.e pabe = abe^\> f° r some state l^)^^, 
then her power is never underestimated. It has then be 
shown in [11,12] that a lower bound on the secret key 
rate can then be determined considering only two-qubit 
density operators. In particular, for a given QBER, Q, 
a lower bound on the secret key rate (assuming that Al- 
ice and Bob apply optimal error correction and privacy 
amplification) is given by 

r > n = sup inf R(ct a >be) (7) 

with 

R{ua>be) = [S{<t a >e) - S{a E )] - H{A'\B) . (8) 

Here, S (H) denotes the von Neumann (Shannon) en- 
tropy respectively. It is important to take some space to 
describe these objects in detail. 
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• The first apparent thing is that Alice does some- 
thing to her bit string A which transforms them to 
A'. This is called preprocessing. It is a classical 
operation, known only to her (just note that in the 
original formula, Eq. (2) in [11], there appears also 
the possibility, noted V there, that Alice discloses 
something of her preprocessing publicly: neglect- 
ing this possibility here, we can nevertheless obtain 
a lower bound). We consider here that Alice ap- 
plies this preprocessing to each bit value indepen- 
dently. Thus, she can only flip her bit values with 
a certain probability. Note that this transforma- 
tion reduces the information Bob has about Alice's 
bit string, but it turns out that it penalizes Eve 
more than Bob, which implies that this preprocess- 
ing increases the secret key rate. Obviously, Alice 
will choose the preprocessing which maximizes the 
rate, whence the "supremum" in (7). 

• The set Tq can be assumed to contain only two- 
qubit Bell-diagonal density operators which arc 
compatible with the measured QBER Q. In or- 
der to be more precise we have to introduce 
the following notation. We denote by p n = 
tr E [£(|$ + ) AB ($+| ® |0) E (0|)], where £ denotes a 
general map applied by Eve (we do not impose that 
this map is unitary, since we are going to consider 
in the following the state shared by Alice and Bob 
after sifting). Let us denote now by Aj, Bj the 
decoding/encoding operators defined by the con- 
sidered protocol. For the SARG04 protocol, these 
are the operators defined in Eq. (3) and Eq. (5), re- 
spectively. The state describing Alice's and Bob's 
qubit pairs after sifting can be considered to be 

Pi = £>i {po) = C A J ® B J Po A ] ® B] ( 9 ) 



where C is a normalization constant which may de- 
pend on po (recall that e.g. in SARG04, the length 
of the sifted key varies with the amount of errors). 
Recall that this state is measured by Alice and Bob 
in the z-basis. Using this notation we can now de- 
fine the set Tq. It contains any state of the form 



Ai+A 2 = l-Q, 
A3 + A4 = Q. 



(12) 



P2 = Ai/V + \ 2 P<S,- + + A4P*- 



with 



Ai 
A 2 
A3 
A 4 



<$+|pi|$+) 
<$-|pi|$-) 
(tf+|pi|tf+> 
(*-|pi|*-) 



(10) 



(11) 



Those coefficients have to fulfill the normalization 
condition and the fact that the state p 2 has to be 
compatible with the estimated error, Q. Since the 
state is measured in the computational basis this 
implies 



The considered protocol, i.e. the map T>\ confines 
the A's further. Let us denote now by o ab € Tq 
the state describing Alice's and Bob's qubit. Eve 
is supposed to hold a purification of this state, i.e 
a abe is pure. Obviously, one must suppose that 
Eve has made the best attack, whence the "inn- 
mum" in Eq (7). 

• The density matrix oa'e is the state of the joint 
system of Alice and Eve, after Alice has performed 
the preprocessing. 

• As for R{ga'be)'- if one would replace the von 
Neumann entropy S by the Shannon entropy H, 
this boils down to H{A'\E) - H{A'\B) = I {A' : 
B) — I {A' : E), giving the usual Csiszar-Korner 
bound [19], see Eq. (29) below. What appears in 
Eq. (7) is thus its "quantum analog", given that 
Eve is allowed to keep her systems quantum. 

Now, we have announced that one can compute a lower 
bound on the secret key rate considering only two-qubit 
Bell-diagonal states. Precisely, this is true if Alice's pre- 
processing is bit-wise. In general, it holds that: if Alice's 
preprocessing is applied to strings of n bits, then one can 
restrict to Eve's collective attacks on n pairs. If we note 
r n the corresponding bound for the secret key rate r, one 
has r > r n > ri; it is an open problem, whether strict 
inequalities hold. 

In summary, we are going to compute the lower bound 
on the secret key rate if Alice applies a bit-wise prepro- 
cessing, i.e. Eq. (7). The quantity R(<ta'Be) is given 
in Appendix A as an explicit function of the A^. This 
expression is independent of the protocol: as mentioned 
above, only the constraints on the A,, that is the set Vq, 
depend on the protocol. Possible improvements on the 
bound may come from more-than-one-bit preprocessing, 
and/or from revealing a part of the preprocessing pub- 
licly. 



2. Lower bound for SARG04 

The SARG04 protocol uses all the four sifting sets S au] 
(a different bound is found if one considers a modified 
protocol which uses only two sets, see Appendix B). One 
finds after some algebra 



Ai 
A 2 
A3 
A 4 



C (<£+\p a \<S>+) 

C [(*-\po\*-) + ($-|po|*-> + (*+|po|* + )] 
' ($-|p |$-) + (* + |po|* + )] 
4<*-|po|*-) + ($-|/>o|$-) + (*+|p |* + >] 



c 

2 



(13) 



The following relations then hold: 
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A4 + 3A3 = 2A2 
A 4 > A 3 . 



(14) 
(15) 



x free, we obtain Ai = 
^ - x from 



Supposing that we leave A2 
1 — Q — x from (12), A3 = x — ® and A4 
(14); the positivity of A3 and (15) restrain x to lie in 
the range [Q/2,Q]. We optimize n and find it positive 
provided Q < 10.95%. If we'd have neglected the pre- 
processing, we'd have found Q < 9.68%, the same value 
obtained by Tamaki and Lo [9,20]. 



C. Singe photon: Upper bound 
attack 



A new incoherent 



As we noticed at the end of IIIBl, the bounds we 
have just obtained may be subject to some future im- 
provement when more complex preprocessing strategies 
are taken into account. In the meantime, we can easily 
derive an upper bound by computing explicitly a possible 
attack by Eve. We consider an incoherent attack, that is 
an attack consisting of (i) a unitary operation U coupling 
the qubit flying to Bob to Eve's systems; (ii) a suitable 
measurement on Eve's systems, after hearing the result 
of the sifting but before any other classical processing 
(this is the difference with collective attacks). 

Even within the class of incoherent attacks, the full 
optimization is a hard task. The problem is not really 
at the level of the unitary U. In fact, since both Alice's 
and Bob's system are qubits, Eve's ancilla may be taken 
without restriction to be four-dimensional. Thus, the ac- 
tion of the unitary on states of the form | xjj) A \ R) E can 
be specified by only sixteen parameters, not all indepen- 
dent — apart from the requirement of unitarity, we have 
imposed a symmetry on the set of states, namely that 
U realizes a depolarizing channel (1) between Alice and 
Bob with the same D for \ip) belonging to the x or to 
the z— basis. In summary, the unitary is defined by a 
number of parameters which is small (at least for numer- 
ical optimization). What is not known at all a priori, 
is the kind of measurement Eve has to perform on her 
system, which would give her the best information on 
Alice's and Bob's bits. Here, we choose a specific kind 
of measurement that can be defined for any U (Helstrom 
measurement, see below) and optimize the parameters of 
hi in order to maximize Eve's information in such a mea- 
surement. The best U found with this method is not the 
phase-covariant cloning machine, i.e. the doner which 
copies all the states of the x and the z— bases with the 
same fidelity [13]. 

This result is interesting in itself because it shows that 
cryptography and cloning are clearly different tasks. In 
fact, the "states to be copied" are the same ones in 
SARG04 as in BB84, so the optimal doner is the phase- 
covariant cloning machine in both cases. It turns out this 
doner enters also the construction of the optimal inco- 
herent eavesdropping for BB84; for SARG04 however it 
is not the case. The cause of the difference is clear: in 



optimal cloning, one wants to optimize the fidelity of the 
output states to the input state; in optimal incoherent 
eavesdropping, one wants to optimize Eve's information, 
and this is a priori a completely different problem. 



1. Eve's unitary operation 

We start by describing the unitary U which we have 
found. It is defined by its action on the z-basis of the 
qubit flying from Alice to Bob and on a reference state 
used by Eve as: 

U\az) A \R) E = Vf\o-z) b \0) Ei \MD))e 2 

+VD\-az) B \l) Ei \0) E2 (16) 



with a = ± and \ip a (D)) = ^1-D/F\0) + <t^/dJF\1). 
Here, D £ [0, ^] is the only free parameter of the trans- 
formation. Note that Eve's system is only 3-dimensional; 
we used a two-qubit notation for convenience. In fact, 
with this notation, the action of the unitary in the x- 
basis is similar to its action on the z-basis, but the roles 
of Ei and E2 are reversed: writing with u) = ±, one has 



U\ux) A \R) E = VF\ux) B \MD)) El \0) E2 

+Vd\-lux) b \0) Ei \1) E2 . (17) 

We suppose in the following that Alice publicly an- 
nounces the set {| + z), \ + x)} (i.e. Alice actually sends 
one of these two states), and that Bob accepts the bit. 
It has been verified that thanks to the symmetries of the 
attack, all the following still holds if Alice sends another 
state and/or announces another set. 

Bob 's states: Suppose for definitencss that Alice sends 
the state | + z). If we trace over Eve's system, we get 
Bob's state : 



p+ z = F\+ z)(+z\ + D\- z)(-z\. 



(18) 



Thus the effective channel induced on Alice-Bob by Eve's 
attack is a depolarizing channel (1) with disturbance D. 
If Bob measures his qubit in the z basis, then he will ac- 
cept the (wrong) conclusive result | — z) with probability 
Pace = D. If Bob now measures his qubit in the x basis, 
he will accept the (right) conclusive result | — x) with 
probability p* cc = (— x\ps\ — x) = 1/2. The quantum 
bit error rate after sifting (QBER) is therefore: 



Q = 



Pa 



D 



PScc+Pa 



1/2 + D 



(19) 



Note that, contrary to the case of BB84, Q ^ D; for 
small values of D we have actually Q ~ 2D. We shall 
come back to this point in the comparison with BB84, 
paragraph III D below. 

Eve's states: After sifting, Eve has to distinguish 
between four states, corresponding to the two possible 
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states announced by Alice and the two cases in which 
Bob accepts the item. We write these states as |^ b ), 
where a (resp. b) <G {0, 1} denote Alice's (resp. Bob's) 
classical bit: 



\^) = B (-x\U\+z)\R) 



m = 



—= {s/i - 2D 1 00) + V2D|*-)) 
v2 

B {-z\U\+z)\R) = sfD\lQ) 
B {-x\U\+x)\R) = s/D\Ql) 
b{-z\U\+x)\R) 

-L(^^2D|00)-V2D|*-)) 



(20) 

(21) 
(22) 

(23) 



with I*") = ^ (|01) - 1 10>). Note that these states are 
not normalized, but the square of their norms correspond 
to the probabilities with which they appear. Eve should 
now distinguish at best between these four states. 



1 - h(Q) as a function of the QBER, Eq. (19), in Fig. 1. 
The curve of I(A : E) for the attack using the phase- 
covariant cloning machine, taken from Ref. [8], is in- 
cluded for comparison. Our attack is slightly more ef- 
ficient in the interesting region. 

Actually, if Eve performs the measurement of Ma, she 
has a good guess on Alice's bit but a very poor infor- 
mation on Bob's bit (the only thing she knows is that 
Bob's bit is equal to Alice's with probability 1 — D). 
Similarly, with reversed roles, if Eve would measure 
M B = p| =0 - p| =1 : numerically, the I{B : E) so found 
is equal to I(A : E) found when measuring Ma', but now, 
Eve has poor information on Alice's bit. For BB84 and 
the six-state protocols, measurements have been explic- 
itly found which attain the optimal value for both Alice's 
and Bob's bits. We did not find such a measurement 
here. However, this is not important: before starting er- 
ror correction and privacy amplification, Alice and Bob 
must choose whether to perform the direct or the reverse 
reconciliation; thus Eve can simply choose the suitable 
measurement. 



2. Eve's measurement: Helstrom strategy 

We suppose that Eve uses the Helstrom strategy to 
guess Alice's bit [21]. This strategy, which may not be 
the optimal one for the present problem, consists in mea- 
suring the observable 



AT „A=0 „A=1 

Ma = Pe ~ Pe 



(24) 



where 



A=j 
Pe 



(We)We\ + We)We\) ■ (25) 



Some analytical results, which provide also a different 
perspective on Helstrom's strategy, are given in Ap- 
pendix C. Here we just sketch the calculation that can 
also be implemented numerically from the beginning. 
There are three possible outcomes e for Eve's variable 
E. The probability of each outcome is 



PE=e 



(m e \p E \m e ) 



(26) 



with pe = ^Pe~° + 5 Pi? -1 • The information Eve gets on 
Alice's bit is 

I(A : E) = H(A) - H(A\E) = 1 - Y,PE=eH(A\ E =e) 

e 

= 1 - ^2pE=,MpA=0\E=e) (27) 



where h is binary entropy and where 



PA=0\E=e = PA=0 



PE=e\A=0 _ lPE=e\A=0 



PE= 



PE= 



(28) 



with pE= e \A=o — ( m e\PE °\ m e) ■ This information is 
plotted together with Bob's information I(A : B) = 




0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 
QBER 

FIG. 1. Bob's and Eve's information on Alice's bit (before 
her possible preprocessing) for our individual attack and the 
attack using the phase-covariant (PC) cloning machine. 



3. Bound on the secret-key rate 

An upper bound on the attainable secret key rate us- 
ing one-way communication and single-bit preprocessing 
is given by the Csiszar-Korner bound [19] which reads 



r < R 



sk 



max {I (A' : B) 

A'^A 



I(A> : E)} 



(29) 



where A' is the result of a local processing of Alice's vari- 
ables. The need for this maximization went unnoticed in 
the field of QKD until very recently [11], but is indeed 
present in the original paper. Here, we consider the case 



G 



when the process A — > A' consists in Alice's nipping her 
bit with some probability q. Bob's information is now 



where 



I (A' : B) = 1 - h(Q') 



Qf = (1 - q)Q + 9 (1 - Q) . 



(30) 



(31) 



As for Eve's information, it can be calculated with 
Eq. (27) upon changing p A=() \ E=e to 



PA'=Q\E=e = (1 - q)pA=Q\E=e + qPA=l\E= 



(32) 



preprocessing allows Alice and Bob to slightly increase 
the bound on the QBER where the achievable secret key 
rate becomes zero. In the case where Alice performs 
bit-wise preprocessing as we consider here, this bound is 
14.9%. Alice will do this preprocessing only for a QBER 
close to the bound of 14.9%, with q increasing as the 
QBER increases. At the bound, q — 0.5: Alice flips half 
of her bits, so that both Bob's and Eve's information 
on her bits is completely randomized. After this opti- 
mal preprocessing, Fig. 1 would look as follows: both 
I(A : B) and I (A : E) stay the same up to Q w 14.6%; 
then suddenly both drop rapidly to zero, with their dif- 
ference given in the upper graph of Fig. 2. 

No preprocessing was taken into account in Ref. [8] for 
the attack using the phase-covariant doner. When one 
includes bit-wise preprocessing, the bound for that at- 
tack moves from 15.03% to 15.12%. Consequently, the 
attack presented here is still more efficient from Eve's 
standpoint. 



D. Single-photon: Comparison with BB84 



0.146 0.147 0.148 

QBER 



In the previous paragraphs, we have provided lower 
and upper bounds for the security of SARG04 in a single- 
photon implementation, under the assumptions of one- 
way classical processing and bit-wise preprocessing on 
Alice's side. The corresponding bounds for BB84 are 
known from Refs [11,12]. The results are: 



lower: extract a key if g^p^QQ^. 



upper: abort if 



BB84: 
SARG04: 



Q < 12.4% 
Q < 10.95% 

Q > 14.6% 
Q > 14.9% 



(33) 
(34) 



■a 
a 

3 



0.145 0.146 0.147 0.148 0.149 0.15 

QBER 

FIG. 2. Upper graph: upper bound R s k on the secret key 
rate obtained with the attack under study with (solid lines) 
and without (dotted lines) Alice's optimal preprocessing, as a 
function of the QBER. Lower graph: corresponding value of 
the optimal q. The preprocessing slightly increases the bound 
where the achievable secret key rate becomes (which we find 
to be 14.9%). 

Fig. 2 displays the upper bound on the secret key rate, 
Eq. (29), with and without Alice's bit flipping (upper 
graph) and the corresponding optimal value of q (lower 
graph) as a function of the QBER. We can see that this 



Looked that way, SARG04 compares almost on equal 
ground with BB84 in a single-photon implementation. 

Experimentalists would however have a different look. 
Consider for a moment a detector with no dark counts, 
or more realistically, a situation in which the number 
of dark counts is negligible compared with the detection 
rate. In all practical experiments to date, the noise is 
such that the effective channel £ between Alice and Bob 
becomes a depolarizing channel (1) characterized by its 
visibility V. 

In BB84, for such a channel, the error rate on the sifted 
key is independent of the state \ip): in fact, when the good 
basis has been chosen, one has simply p r i g ht 
Pwrong = ■ Consequently 



1±Z and 



Q 



Pwrong 



BB84 



1 - V 



Pright T Pwrong 



(35) 



In SARG04, the situation is different. If Bob chooses the 
good decoding basis (which is not the basis in which the 
qubit was encoded), then whenever he accepts, he guesses 
always right, and this happens with probability p r % g ht = 
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i independently of V. If Bob chooses the wrong decod- 
ing basis and accepts, then he always guesses wrongly; 
and this happens with probability p wron g = ■ Thus 

Q _ Pwrong SARGQ4 1 — V ^ ^ _ y j-gg-j 

Pright ~t~ Pwrong 2 V 

Note that we have already derived this formula above, 
Eq. (19) with D = i^. For a fixed visibility, the QBER 
of SARG04 is almost twice the QBER of BB84. In this 
sense, the bounds of SARG04 compare unfavorably to 
BB84 in a single-photon implementation [22]. 

IV. PRACTICAL IMPLEMENTATION 

As we stressed in the Introduction, it has not yet been 
possible to give the most general security criteria with- 
out adding assumptions about some simplified compo- 
nents. While theory progresses, experimentalists need 
realistic figures to design their experiments and to evalu- 
ate their results. These figures must take into account all 
the meaningful parameters characterizing Alice's source, 
the line ("quantum channel") linking Alice to Bob, and 
Bob's detectors. 

To compute these figures, we have to make several as- 
sumptions, which will be stated precisely in what follows, 
but in general fall into two categories: 

• We restrict the class of Eve's attacks, taking into 
account only incoherent attacks, among which the 
PNS and its variants play the most important role. 
This assumption leads to an underestimate of Eve's 
power. 

• We also have to specify the kind of check that Al- 
ice and Bob perform on their data. Apart from the 
estimate of the QBER, Alice and Bob can check 
the transmission of the line and more precisely the 
statistics of the number of photons. 

The Section is structured as follows. First, we describe 
the source, the line and the detectors (IV A), the ex- 
pected parameters in the absence of Eve (IV B) and the 
hypotheses on Eve's attack (IV C). Then, we present the 
results of numerical optimizations (IV D); in the case of 
perfect optical visibility V = 1, we provide also approx- 
imate analytical formulae. The last subsection (IV E) is 
devoted to a balance of the results obtained for SARG04, 
in comparison with BB84. 

A. Description of the source, the line and the 
detectors 

Alice's source: Alice encodes her classical bits in light 
pulses; since a reference for the phase is not available to 
Eve and to Bob, the effective state prepared by Alice is 
a mixture which is diagonal in the photon-number basis: 



Pa = J^Pa(^) \n,p)(n^\ (37) 

n=0 

where \n^) represents the state in which n photons arc 
present in the state \ip). In most practical QKD setups, 
Alice's source is an attenuated laser pulse, so 

p A {n)=p{n\ l i) = (38) 

the Poissonian distribution of mean photon number ji. 
In this paper, the formulae where the notation pA{n) (or 
PB(n), see below) appears explicitly are general, all the 
others suppose (38) to hold. 

Alice-Bob quantum channel: The quantum channel 
which connects Alice and Bob is characterized by the 
losses a, usually given in dB/km (for optical fibers at 
the telecom wavelength 1550nm, the typical value is 
a ~ 0.25dB/km). The transmission of the line at a dis- 
tance d is therefore 

t=W- ad/w . (39) 
The probability that Bob receives n photons is 
p B (n) = PA{m)C n m t n {\ - t) m ~ n ( = ] p{n\tit) (40) 



where CJ^ = n \( ™L n )\ ■ The other meaningful parameter 
of the channel is the fidelity of the transmission F (or 
the disturbance D = 1 — F). We assume a depolarizing 
channel (1): 

S[\+z)]=F\+z)(+z\+ D\-z)(-z\ (41) 
= \\+x){+A + ^|-a;)<-:c|+off-diag. (42) 

and recall the link (2) between the parameters F and D, 
and the visibility V. 

Bob 's detectors: Bob uses single-photon counters with 
a limited quantum efficiency n and a probability of dark 
count per gate pd- For simplicity of writing, in some 
intermediate formulae we shall write f\ = 1 — n and 
Pd = 1 — pd- The gate here means that Bob knows when 
a pulse sent by Alice is supposed to arrive, and opens 
his detectors only at those times; so here, "per [Bob's] 
gate" and "per [Alice's] pulse" are equivalent. Typical 
values nowadays are n ~ 0.1 and pd ~ 10~ 5 — 10~ 6 for 
the detection of photons at telecom wavelengths. 
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B. Bob's detection and error rates 

Bob receives n photons with probability given 
in (40). We want to compute his detection and his error 
rate. For definitencss, we suppose from now on that Alice 
sends \sent) = \+ z), and publicly declares this state and 
\declared) = | + x). Bob guesses correctly if he measures 
in the x basis and finds \ok) = \ — x), he guesses wrongly 
if he measures in the z basis and finds \wrong) — \ — z). 

Among the peculiarities of SARG04 which must be dis- 
cussed, is the role of double clicks. In BB84, when both 
detectors click, the item is discarded: in fact, a double 
click can appear only if (i) Bob has received and detected 
two photons, in the wrong basis, or (ii) Bob has detected 
just one photon but has had a dark count in the other 
detector; in both cases, there is no way to tell the value 
of the bit sent by Alice. In SARG04, things are different 
because Bob guesses correctly the bit when he measures 
in the "physically wrong" basis (basis x with our con- 
vention). A double click may mean precisely that the 
basis chosen by Bob is not the one chosen by Alice, and 
this gives the information on the bit. But the dark count 
case is still there, and introduces errors. In this paper, for 
simplicity we suppose that items with double clicks are 
discarded from the key, as in BB84; however, their rate 
is monitored, to prevent Eve from achieving an effective 
modification of 77, see IV C. 



1. Zero-click rate 



standard calculation [23] , we obtain for a Poissonian dis- 
tribution 

C a z cc (V) = (1 - Pd )[p(0\F^ V ) - (1 - Pd )p(0\nt V )] . (45) 

In the limit \itr\ <C 1 (and pd <C 1, which is always the 
case), one finds C* CC (V) s=s D/j,trj + pd- We highlighted 
the dependance of these quantities on V because it will 
be important for what follows. 

When Bob now measures in the x basis, he accepts the 
(right) bit if he gets a click on the | — x) detector, and 
no click on the | + x) detector. Because of (42), we just 
have to change F to \ in the previous formulae: 

PacAn) = (1 - Pd) [(1 - r,/2) n (1 - P«0(1 - VT] , (46) 

so that for Poissonian sources C t f cc = (1 — 
p d ) [p(0\fitr]/2) - (1 - p d )p(0\fitr])] w \ iitrt + p d . Since 
the two bases are randomly chosen, the global probability 
for Bob to accept a click is 

p acc (n, V) = ^ p x acc (n) + 1 p z acc {n, V) , (47) 

and the accepted-click rate on Bob's side (i.e. the length 
of the sifted key) is 



Cacc{V) = \c^ c + l -C^ c {V). 



(48) 



When n photons arrive, the probability of not having 
any click is independent of the basis chosen by Bob and 
is given by 



p (n) = (l-p d ) 2 (l-v) n - 



(43) 



The corresponding zero-click rate is Co = 
Y, n >oPB( n )Po(n) = (1 - Pd) 2 P (0\fJ.tr)) i.e. there are 
no dark counts and no photon is detected. 



2. Sifted key and QBER 

The accepted-click rate on Bob's side is the sum of two 
terms. When Bob measures in the z basis, he accepts 
the (wrong) bit if there is one click in the | — z) detector 
(whether it is due to a photon or to a dark count), and no 
click in the | + z) detector. When n photons arrive, the 
probability of having a click only on the | — z) detector 
is 



PaccK V) = V C k n F k D n - k [p- d t] [1 - m 



n— fel 



fc=0 



= (1 - Pd ) [(1 - Fr,) n (1 - Pd)(l V) n ] , (44) 

with C k = k \f£-k)\ ■ The accepted-click rate in the z ba- 
sis is then C* CC (V) = J2 n >o PB{n)p* cc (n, V); using some 



All the items C £ f cc being correct and all the items C* CC (V) 
being wrong, the QBER is 



Q = 2 acc 



(V) 



C acc (V) 



For pd <C utr] <C 1 and D « i, we find 



Q w 2D + 2-^- = Q opt + Qdet , 
lj.tr] 

Cacc(V) W J fltrj (I + Qopt + 2Q d et) 



(49) 

(50) 
(51) 



As expected, the sifted-key rate increases in the pres- 
ence of errors. Note also that the QBER is twice the 
one expected for BB84, for the same parameters: now, 
\i is going to be larger for SARG04 than it is for BB84, 
so that Qdet is not really larger; however, D is fixed by 
the visibility: SARG04 is thus more sensitive to losses of 
visibility than BB84 is. 

Finally, allowing for Alice's preprocessing, the mutual 
information between Alice and Bob is 



I(A' : B) = C acc (V) (1 - h(Q')) 
with Q' related to Q (49) as in Eq. (31). 



(52) 
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3. Double-click rate 



The calculation of the double-click rates C^ z is sim- 
ilar to the one of C£g. For each basis, it holds C%' z = 
J2n>2PB{n) pZ' Z ( n ) where p^' z (n) is the probability of a 
double click conditioned on the fact that exactly n pho- 
tons reach Bob. Consider first the z basis: one has to 
modify (44) in order to describe a click in both detectors, 
so we have to replace [p"d?7 fe ] with [l — p~ d fj k ] ■ Thence 

pi(n, V) = 1 — (1 — Pd )[(l - Frf) n + (1 - Drj) n ] 

+ (l- Pd f(l-il) n - (53) 

The double-click probability in the x basis is obtained by 
replacing both F and D by |; by comparison with (43) 
and (46), one finds 



p 2 x (n) = l-po(n)- 2p* cc (n). 
For Poissonian sources, this yields [23] 



(54) 



C 2 Z (V) = 1 - (1 - Pd M0\nt V F) + p(0\pt V D)} 

+ (1 - Pd) 2 p(0\&v) , (55) 



and Cf 



1 — (1 — p d )p(0\ptrj/2) . Having written 

down all Bob's parameters, we can move on to present 
the class of attacks by Eve that we consider. 



pulses which reach Bob obey the statistics p_B|£;(n) a pri- 
ori different from the expected one (40). The most gen- 
eral assumption would consist in leaving fs|_E(n) com- 
pletely free, and estimate Eve's information from it. 
The most conservative assumption consists in requiring 
PB\E( n ) = PB(n) for all n, and aborting the protocol 
if this requirement is not fulfilled; this is the spirit of 
decoy-state protocols [6]. In this paper, we choose an in- 
termediate requirement: we constrain Eve to reproduce 
the expected count rates C t f cc , Cf and the rate of no 
detection (note that the rate of inconclusive detections 
will be reproduced as well). This assumption is consis- 
tent with the idea of introducing no modification in the 
hardware: without allowing for decoy states and/or more 
detectors, these rates are the only parameters which can 
be measured. Eve has also a constraint on C* cc and C 2 Z , 
though of a different nature: these two quantities must 
depend on a single parameter V according to Eqs (45) 
and (55). 

Hypothesis 3: We work in the trusted- device scenario. 
While the optical error D in the quantum channel (the 
imperfect visibility) is entirely attributed to Eve's inter- 
vention, we assume that Eve has no access to Bob's de- 
tector: rj and p d are given parameters for both Bob and 
Eve. Eve will of course adapt her strategy to the value 
of these parameters, but she cannot modify them [25]. 



2. More on the class of attacks 



C. Eve's attacks: hypotheses, information and 
constraints 

1. Overview of the hypotheses 

Some of the hypotheses on Eve's attacks have been 
rapidly introduced in the previous paragraphs. Here we 
make the exhaustive list of the assumptions. 

Hypothesis 1: Eve performs incoherent attacks: she at- 
tacks each pulse individually, and measures her quantum 
systems just after the sifting phase. This hypothesis al- 
lows to perform explicit calculations of an upper bound 
for the secret key rate. We shall say more on these at- 
tacks in the next paragraph (IV C 2). The hypothesis of 
incoherent attacks implies in particular that after sift- 
ing, Alice, Bob and Eve share several independent re- 
alizations of a random variable distributed according to 
a classical probability law. Under this assumption and 
the assumption of one-way error correction and privacy 
amplification, the Csiszar-Korner bound applies [19] and 
the achievable secret key rate is given by (29) [24]. 

Hypothesis 2: Eve can replace the actual channel with 
a lossless channel. This allows her to take advantage 
of the losses: she can block pulses on which she has 
poor or no information, keep some photons out of multi- 
photon pulses, etc. Because of Eve's intervention, the 



In Hypothesis 1, we have explained that we restrict to 
incoherent attacks. Here is a detailed description of Eve's 
strategy. Eve, located immediately outside Alice's sta- 
tion, makes a non- demolition measurement of the num- 
ber of photons n in each pulse. This does not introduce 
any error because pa (37) is diagonal in the Fock basis. 
Based on this information, Eve implements an attack K 
with probability pm (n) , so that the channel Alice-Bob is 
of the form 

Pb = £[pA] = ^2pA(n)^2p K (n)£ K [\n 4 ,)(n i ,\}. (56) 

n K|„ 

These are the attacks that we investigate: 

S: Storage attack: if n > 2, Eve can choose to store k < 
n photons, while forwarding the remaining n — k 
photons to Bob on the lossless line. When Alice re- 
veals the states, Eve makes the measurement that 
maximizes her information, thus guessing Alice's 

bit correctly with probability pk = \ + \ \j\ — ^r- 

This is the original type of PNS attack [5] . After 
Alice's possible preprocessing (bit flip with prob- 
ability q), Eve's guess is correct with probability 
p' k = (1 — q)pk + q(l — Pk)] whence Eve's informa- 
tion becomes 

Js(fc) = 1 - h(p' k ) (57) 
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conditioned on Bob's accepting the item. We de- 
note by s(k\n) the probability that Eve, having cho- 
sen to perform a storage attack, stores exactly k 
photons. 

I: Intercept- Res end attack: if n > 3, the four states 
\tp)® n , with |?/>) = | ± z) or | ± x), become linearly 
independent. Eve can then perform an unambigu- 
ous discrimination of the sent state, whose proba- 
bility of success is 

/i \ L("-i)/2J 
Pok(n) = 1 - (2 J ( 58 ) 

(for n > 3, this is a numerical result [8]). In case of 
success, Eve has full information about the bit and 
she forwards m new photons to Bob prepared in 
the state (any value m is chosen with probabil- 
ity r{m\n)). Otherwise, she blocks the item. Note 
that this strategy, contrary to the storage attack, 
requires neither a quantum memory (obviously) nor 
a lossless line: having succeeded unambiguous dis- 
crimination, Eve have the new photons prepared 
by an accomplice of hers who is close to Bob's lab. 
This form of PNS attack has been first discussed by 
Dusek and coworkers [26] . After Alice's preprocess- 
ing, Eve's information in case of success becomes 

h{n) =h = l- h(q) (59) 

again conditioned on Bob's accepting the item. 

U: Unitary interaction: Both the S and the I attacks 
provide Eve with information only thanks to the 
losses, and don't introduce any error in Alice-Bob 
correlations (V = 1). If there is a reduced visibility 
V = 1 — e, Eve can also take advantage of it by 
performing an attack which introduces some errors 
(and no losses). Noting that information on pulses 
with n > 2 can be obtained using S or (for n > 3) 
I, we suppose that errors will be introduced only to 
gain information about n = 1 items. Moreover, as 
mentioned above, e is typically quite small: instead 
of tackling the very hard problem of optimizing this 
family of attack, for simplicity we choose a repre- 
sentative, namely the attack developed in section 
IIIC. As described there, she obtains an informa- 
tion 

I V (D) = 1 - J2PE=-MPA>=0\E=e) ■ (60) 

e 

The important point to stress is that in the unitary 
operation U one must insert a value D = |(1 — V) 
which is in general larger than the average error D 
(in other words, V < V). This is because Eve in- 
troduces only errors in a fraction of the pulses, so 
in those items she can introduce more perturbation 
than the average [27]. 



B: Eve blocks all the n photons. In this case of course, 
Bob receives nothing and can accept the item only 
in the case of a dark count. On the one hand, Eve 
is willing to block a pulse only when she has small 
or no information on it (typically, one- and two- 
photon pulses). On the other hand, Alice and Bob 
will always choose \i such that Eve will not be able 
to block all single- and two-photon pulses without 
changing Bob's expected detection rate. Therefore, 
we set 

PB (n)=0 for n>3. (61) 



L: Finally, Eve may be forced to let all the photons in 
the pulse go to Bob in order to preserve the count- 
ing rates. In this case, Bob may accept the item 
but Eve doesn't get any information on Alice's bit. 
However, we shall consider 

p L (n)=0 for all n. (62) 



The reason is as follows. For n = 1, Eve applies 
the U strategy which does not reduce the counting 
rates and gives her some information (for V = 1, 
the U strategy with a disturbance D — is equiv- 
alent to Pl (I))- For n > 1, when losses are large 
enough, that is at not too short distances, condition 
(62) is obviously part of the best strategy for Eve. 
So, the only effect of this condition is to prevent 
us from studying SARG04 at short distances (for 
the values of the parameters used below, in par- 
ticular for rj = 0.1, the shortest distance at which 
constraints can be satisfied is found to be ~ 24 km). 



Note that, for the qubit encoding, the channel (56) be- 
haves as a depolarizing channel. In fact, attacks S and 
I don't introduce any error, and attack U was shown in 
III C to induce a depolarizing channel between Alice and 
Bob. 

A comment is needed about the exhaustiveness of our 
list of attacks. We have stressed enough that U is not 
optimized. The list of zero-error attacks, on the contrary, 
is fairly complete among the incoherent PNS attacks for 
the analysis of SARG04 [28]. One may well construct 
more general strategies: e.g., for n = 5, Eve may try I on 
three photons, and if she does not succeed, she performs 
S on the remaining two. However, the mean number of 
photons \i will be chosen small enough, so that the mean- 
ingful items are those with n < 3, n = 4 items playing 
the role of small correction and all the higher-number 
items being completely negligible. 
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3. Eve's information and constraints 

We are now able to write down formulae for I(A' : E) 
and for the constraints which Eve must fulfill. For each 
n, Eve uses strategy X with probability px(«), so that 
it holds 



n = 1 
n = 2 
n > 3 



p B (l)+Pu(l) = 1, 
PB (2)+ps(2) = l 
Ps(n) +Pi(n) = 1 . 



(63) 
(64) 
(65) 



Under this family of attacks, Eve's information on Alice's 
bits after sifting and preprocessing is 

I(A' : E)= PA (l)p v (l)I v (D) Pacc (l,V) 

n-1 

+ ^2PA(n) ps(n) ^2 s{k\n)Is(k)p aC c(n - k, 1) 

n>2 k=l 

+Pi(n)pok(n) h ^r(m\n)p acc (m,T) (66) 

m>l 

where the p aC c(n-i V) & r e given in (47). 

Eve is going to choose her parameters in order to max- 
imize I (A' : E), under the constraints described in Hy- 
pothesis 2. To write down these constraints, one first 
notes that the number of photons that reach Bob is dis- 
tributed according to 

PB\E(n > 0) = 6 n ,i pa(1)pu(1) 

+ pA(rn)ps(m)s(m — n\m) 



with V the average visibility that Eve chooses to intro- 
duce and q(l) = pa(1)pu(1) the only cases where Eve 
introduces errors. Note that the value of V is defined by 
Eqs (72) and (73). 

The five constraints (69)-(73) are actually not indepen- 
dent and can be reduced to the following set (derivation 
in Appendix D): 

Vb\e ■ f (1) = Vb ■ f (1) , (74) 
V m ■ f (1/2) = V B ■ f (1/2) , (75) 
p A (l)p u (l)r ] D='PB- (f(F)-f(l)) (76) 

where we have stored the probabilities ps(n) and pB\E(n) 

in the vectors T B and Vb\e and where the vectors T(x) 
depend only on the detector's efficiency rj, their respec- 
tive components being -) n {x) = (1 — xrj) n for all n > 0. 
In particular, the last condition (76) together with (63) 
determines the error D that Eve can introduce on all the 
one-photon pulses that she does not block. As expected, 
this relation reduces to D = in the case V = 1. 

In the case where Alice holds a Poissonian source with 
mean photon number /j,, we have Vb • r(^) = p(0\x fj,tt]) , 
whence (74)- (76) read explicitly 



PA(m)pi(m) Pok (m)r(n\m) , (67) 

(68) 



rn > 3 



PB\E{n = 0) = 1 - Y PB\E{n) ■ 

n>0 



Of course, there is no reason for PB\E( n ) to be Poisso- 
nian, even if Pa(ti) is. Now, according to Hypothesis 2, 
Eve is constrained to fulfill 

^2pB\E(n)p (n) = ^2p B (n)p a (n) (69) 

n n 

J2PB\ E (n)Pacc(n) = ^2p B (n)Pa CC (n) (70) 

n n 

YpB\E{n)pZ(n) = YpB{n)p%{n) (71) 

n n 

^p B \E(n)p* cc (n,l) + q(l)[p* cc (l,V) -p* cc (l,l)] 

n 

^Y,PB{n)p z acc (n,V) (72) 

n 

Y,PB\E(n)pi(n, 1) + 9 (1) [p|(l, V) - pi(l, 1)] 

n 

^J2p b ^P2^ v ) ( 73 ) 



Vb\e ■ f (1/2) 

p(i|/i)pu(i)t?5 



P(0\t*tr)), (77) 
■ p(0\titr)/2), (78) 
:p(0\ntriF)-p(0\ntn). (79) 



D. Optimization over Eve's strategy and Alice's 
parameters 

We have at present collected all the pieces which are 
needed for our study. For any fixed value of and q, 
Eve is going to choose her parameters px(n), s(k\n) and 
r(m\n) in order to maximize I(A' : E) [Eq. (66)] under 
the constraints (77)-(79). Alice and Bob must choose \i 
and q in order to maximize R s k [Eq. (29)], with I (A' : B) 
given in Eq. (52) and with I{A' : E) computed as just 
described. This double optimization will be done numer- 
ically; for the case V = 1, we shall also provide some 
analytical approximations, both as a consistency check 
for the numerics and as a tool for practical estimates. 



1. Restricting the number of free parameters 

Even in the perspective of using a computer, we have to 
simplify the problem further: the number of free param- 
eters is a priori infinite. In particular, we have to discuss 
the probabilities s(k\n) and r(m\n) associated, respec- 
tively, to the S and I attacks. These are related to the 
number of photons that Eve forwards to Bob. We first 
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notice that the constraints (77) and (78) can be satisfied 
up to the order 0(fitr]) 3 by setting 

Pb\e(1) =nt- {pfi? (80) 

Pb\e{2) = \(vtf (81) 

and all the others PB\E( n > 2) = 0; that is, for each item, 
Eve forwards either one or two photons to Bob. We con- 
sider that Eve forwards two photons only after some I 
attacks, because this does not cost her any information; 
whereas, would she forward two photons in a S attack, 
fewer photons would be left in her quantum memory to 
estimate the state. When Eve performs the I attack on 
a 3-photon pulse, she can forward either one or two pho- 
tons; when she performs it on a higher-n pulse, she always 
forwards two photons. In conclusion, we assume 

s(k\n) = 6k, n -i for all n, (82) 
r(2|3) = l-r(l|3), (83) 
r(m\ri) = 5 2 , m for all n> 4. (84) 

Summarizing, the free parameters for Eve's attack are 

{pu(l),Ps(2),p S (3),Pi(3,2),p s (4),...,p s (n ma;c )} (85) 

where pi(3, 2) = pi(3)r(2|3) and n max is a cutoff in the 
number of photons allowed in a pulse — we have chosen 
n max — 7 in what follows, although a posteriori we veri- 
fied that n ma x = 5 would have given the same results but 
for the shortest distances that we considered. This choice 
of free parameters, in particular the choice of Pi(3, 2) in- 
stead of r(2|3), is useful because all the constraints (80), 
(81) and (79) become linear in the parameters; of course, 
one must add a fourth linear constraint, namely 

Ps(2)+Pi(3,2)< 1. (86) 

Maximization of a function (here, Eve's information) un- 
der a set of linear constraints is achieved in Matlab with 
the pre-defined function fmincon. At this point, we can 
run our numerical optimization of ji as a function of the 
distance. 

2. Results, part 1: Eve's parameters 

We have run our software with the following parame- 
ters: a — 0.25, r\ = 0.1, Pd = 10~ 5 . These are not the 
very best values that we can achieve in the laboratory, 
but we have already used them many times and it will 
be useful for comparison, especially with Ref. [15]. The 
numerical simulation achieves a faithful result only for 
d > 24 km, because of Eq. (62), and for V > 0.92 (recall 
that for V < 0.825 the secret key rate becomes zero even 
in a single-photon implementation; it is then not aston- 
ishing that the visibility becomes more critical when Eve 
can take advantage also of multi-photon pulses). Here 
is what is observed for the optimal parameters of Eve's 
attack: 



• n = l: pu(l) is always zero for V = 1. This means 
that in this case Eve blocks all the single-photon 
pulses. For V < 1, it turns out that D is con- 
stant at the value Dq = 0.191 over all the distances 
(more precisely, over all the distance for which the 
best preprocessing by Alice consists in doing noth- 
ing, which are all the region of interest as will be 
explained later). The value of Pu(l) is thus deter- 
mined by (79). 

• n = 2: ps(2) is between zero and one. This means 
that Eve cannot block all the two-photon items. 

• n = 3: ps (3) is zero, pi(3, 2) is between zero and 
one. That is, when the pulse contains three pho- 
tons, Eve performs always the I attack; sometimes 
she sends out one photon and sometimes two. Ac- 
tually, this rate of forwarding two photons is al- 
ready enough to reproduce the constraint (81), as 
is implied by the following item. 

• n > 4: Ps(ti) = 1: Eve performs always the S at- 
tack. 

Remarkably, most of the features of Eve's optimal at- 
tack can be re-derived analytically and the derivation is 
independent of the form of the pa(ti). This is expected, 
because Eve first measures the number of photons n, then 
adapts her strategy to her result; thus, the frequency of 
occurrence of any value of n does not play any role in 
defining her best attack for each n although it will 
of course determine the fraction of information that each 
attack provides her. The price to pay for the analytical 
approach is that, to avoid getting lost, one has better 
neglect the constraint (81) on two photons. We present 
this analytical derivation in Appendix E. In summary: a 
numerical approach, which assumes a Poissonian distri- 
bution for Alice's source and can deal with the full set 
of constraints, and an analytical one, in which the in- 
dependence of the source's statistics is explicit but the 
constraints must be simplified, converge to the same re- 
sult: we have indeed found Eve's optimal attacks within 
the class which we are considering, independently of the 
statistics of Alice's source — our assumptions on Eve's 
attacks are reasonable provided the source is such that 
p A (l) > p A (2) > p A (3)... 



3. Results, part 2: \i and R ak 

Having Eve's best attack, we can compute for any dis- 
tance the optimal value of \x and the corresponding upper 
bound R s k on the secret key rate. The results of numer- 
ical optimization are shown in Fig. 3. Several points are 
worth stressing: 



13 



• We recall first that these results are valid for a large 
but still restricted class of attacks by the eavesdrop- 
per, according to the hypotheses described in IV C 
and IV D 1. Moreover, the curve for V = 0.95 de- 
pends also on our choice of introducing a U attack 
only on the n = 1 pulses. Thus, R s k is an up- 
per bound on the achievable secret key rate, which 
remains to be computed. 

• The optimal value of p is above 0.1 for all the 
range that we considered, both for V = 1 and 
for V = 0.95; for d = 24km and V = 1 we have 
fJ-opt = 1-55. In contrast to the case of BB84 [15], 
fj, does not decrease faster to zero as the critical 
distance approaches. 

• Alice's preprocessing is non-trivial (q > 0) only 
in the critical region where the presence of dark 
counts bends the curve below the linear (in log 
scale) regime. In principle, one tends to avoid work- 
ing in that region. 

As in the case of Eve's parameter, we complement 
the numerical optimization with some analytical studies, 
even at the price of some approximations: this is useful 
both to legitimate the numerical result and to provide 
formulae for rapid estimates. We consider fitrj -C 1 and 
obviously pd <C 1. We suppose that Eve forwards always 
one photon to Bob, thus taking the one-photon constraint 
(80) at the leading order and neglecting the two-photon 
constraint (81); in addition, we restrict to the case V = 1, 
whence constraint (79) is automatically satisfied, and we 
neglect Alice's preprocessing by setting q = 0. From the 
study of Eve's attack we know that we can set Pu(l) = 0, 
Ps(3) = and ps(n > 4) = 1. For a Poissonian source 
then 



I(A : B) 
I (A : E) 

with 



(/it7 s (l) + ip(3|/i)(l-Z s (l)) 
+ £>(n|/i)(Js(n-l)- Js(l)) 

n>4 

Q00 = 



(87) 



Bin 

2p d 



(89) 



These are non-algebraic functions, so the analytical max- 
imization of R s k is still impossible; but it is easily done 
numerically. It yields a careful estimate of both p and 
R s k in the typical working regime (40-70 km in Fig. 3), 
diverges for shorter distances and underestimates the lim- 
iting distance. Thus, in practice, one can use these two 
equations to estimate the optimal parameters and to keep 
away from the limiting distance. 

In order to reach analytical approximate solutions to 
the maximization problem, we further neglect the cor- 
rection 1 — h{Q) in the expression of I(A : B) (i.e. we 



suppose ptrj 3> pd), the contribution of the pulses with 
n > 4 photons in the expression of I {A : E), and the 
factor e _/i in p(3\p) — this last assumption is the worst 
one, because we are dealing with p > 1 at short distance. 
That leads to 



iU«|(l-Js(l)) 



(90) 



The optimum is 



Rsk ~ j(l - Is(m 3/2 for fi opt = 2Vt. (91) 



These values are plotted in Fig. 3 together with the re- 
sult of the exact numerical optimization. We see that 
the approximations are rough as expected but grasp the 
correct order of magnitude. Finally note that, contrary 
to the case of BB84 [15], we have not been able to find a 
closed analytical expression for the limiting distance, the 
difference here being that [i does not fall rapidly to zero 
when approaching this distance. 




50 60 70 

distance [km] 
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FIG. 3. (Color online) Optimal [i and upper bound R a k 
on the secret key rate per pulse (log scale) for Poissonian 
sources as a function of the distance, for a — 0.25, r\ = 0.1 
and pd = 10 -5 , and for V = 1 and 0.95. The full thick lines 
are the result of the numerical optimization, considering also 
Alice's preprocessing; the dashed thick lines are the same, 
without Alice's preprocessing (q — 0). The full thin lines are 
the analytical approximations for V = 1, Eq. (91); the dashed 
thin line in the upper figure is the critical value /i = 2\/3T at 
which R s k = according to the approximate formula (90). 



E. Attenuated laser: Comparison with BB84 



Finally, we compare the performances of the SARG04 
and those of the BB84 under identical conditions, from 
Ref. [15]. Since Alice's preprocessing was not taken into 
account in that work, for coherence we compare the re- 
sults for q = — it is not difficult to see that the con- 
tribution of this preprocessing in BB84 is numerically 
negligible, as it is for SARG04 [29]. 

The optimal fj, and the upper bound R s k on the se- 
cret key rate are plotted in Fig. 4. We see that SARG04 
allows an increase of the secret key rate at moderately 
large distance and of the limiting distance. It seems that 
BB84 achieves a better secret key rate at short distance. 
Although we cannot make any final commitment because 
we have made hypotheses that prevent us to study that 
regime, one might understand it from the following argu- 
ment: at short distance, Eve can do essentially no PNS 
attack for inefficient detectors; therefore, the sifting ra- 
tio becomes the important parameter — now, in SARG04 
only one quarter of the items are kept, while in BB84 half 
of the items are kept. 

The present analysis supersedes the one made in Refs 
[7,8], which supposed a fixed value of /x for all distances. 
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FIG. 4. (Color online) Optimal /j, and upper bound R a k 
on the secret key rate per pulse (log scale) for Poissonian 
sources as a function of the distance, for a — 0.25, r\ — 0.1 
and p d = 10" 5 , and for V = 1,0.95. Thick lines: SARG04 
(identical to Fig. 3, with q — 0); thin lines: BB84, under the 
same conditions. 



V. CONCLUSION 

In conclusion, we have studied the SARG04 protocol 
for two different types of source of light on Alice's side. 

For the implementation using single-photon sources, 
we have obtained a lower and an upper bound for security 
against all possible attacks by the eavesdropper. These 
bounds are close to those obtained for the BB84 proto- 
col. However, if a channel of a given visibility is available, 
then the QBER of SARG04 is twice the QBER of BB84. 
Interestingly, the upper bound for SARG04 was obtained 
for an incoherent attack based on a unitary which is not 
the phase-covariant quantum doner. 

For the realistic implementation using an attenuated 
laser (Poissonian source), we have restricted the class 
of Eve's attacks to incoherent attacks, in particular the 
most studied forms of PNS attacks. In this case, SARG04 
performs better than BB84, both in the achievable secret 
key rate and in the limiting distance. 
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These results strengthen the conclusion of Refs [7,8,30]: 
once quantum correlations have been distributed, differ- 
ent ways of encoding and decoding the classical infor- 
mation lead to different performances according to the 
physical characteristics of the setup. The full potentiali- 
ties of this insight have still to be developed. 
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APPENDIX A 

In this appendix we give more details about the calcu- 
lation of the lower bound. The following is not specific 
to the SARG04 protocol, but can be applied to any pro- 
tocol. As discussed in IIIB, in order to compute a lower 
bound on the secret key rate, we can consider the state 
that Alice and Bob share before the preprocessing to be 
of the form (10), which we rewrite here: 

P2 = AiP$+ + A 2 P$- + A 3 P*+ + A 4 P*- . (Al) 

Eve holds a system which makes a purification of p 2 : 

Ix) ABE 

= AB \0Q) E + ) AB \01) E 

+^\^ + ) AB \io) E + ^\^-) AB \n) E (A2) 

Eve's and Bob's partial states are respectively: 



p E = diag(Ai, A 2 , A 3 , A 4 ) , ps = ^ 1 



(A3) 



whence S(p E ) = - J2i^i lo S A; and S{p B ) = 1. 

When Alice has measured |0) or |1), Bob and Eve share 
one of the states : 



IXo) BE oc a(0\x)abe 

= |o) b U/a7|oo) + v^|oi»b 

+|l) s (yA^|10) + v / A7|ll)) B 
\Xi)be « a{1\x)abe 

= |0) B (v/A^|10) - VM\11))e 

+|i> s (v / a7|oo) - v^|oi»s, 

which give in the computational bases 

/ Ai V A1A2 \ 



P E = 



_ _ VA1A2 

V Ai A 2 A 2 



A3 V A3A4 
VA3A4 A4 J 



(A4) 



(A5) 



(A6) 



Pe 



and 



V 



Ai —yj Ai A 2 
- \/ Ai A 2 A 2 



\ 



VA3A4 



(A7) 



/ Ai + A 2 
rL: ~ { A 3 + A 4 

1 / A3 + A4 
pB ~ I Ai + A 2 



— VA3A4 A 4 J 
l-Q 



Q 



Q 



l-Q 



(A8) 
(A9) 



If q = pa'^a denotes the probability for Alice to flip her 
bit (preprocessing), the state of Alice and Eve is 

PA>E = \[({l-q)\0){0\ + g|i><i|)®pS, 
+ (g|0)<0| + (l-g)|l)<l|)®/4 
= l|0)(0|®a° +1|1)(1|®4, (A10) 

where a° E = (1 - q)p° E + qp\ and a E = qp% + (1 - q)p E . 
Then, 



S(pa'e) = 1 + \s{a%) + l -S{a E ). 
With similar notations, 

S(pa'b) = 1 + \s{a%) + l -S{a B ) . 



(All) 



(A12) 



Finally, 

R(<?a>be) = S(pa'e) - S(p E ) - [S(pa'b) - S(p B )] 
= \ [S{a%) + S{a E )-S{a%)-S{a B )} 



+1 - S(p E ) ■ 



(A13) 



This is the function which must be optimized over the Aj 
compatible with the constraints (which define the proto- 
col) and over the bit-wise preprocessing: 



n = sup inf R(<t a , be ) ■ 

g€[0,0.5[ A ' s 



APPENDIX B 



(A14) 



In the main text, we have computed the lower bound 
for the SARG04 protocol implemented with single- 
photon sources. One might ask what happens if the 
S ARG04 protocol is modified if only two " opposite" sift- 
ing sets, say S ++ and S , are used instead of all the 

four. 

The interest of the two-sets protocol is a practical one. 
The sifting of the four-sets protocol requires Alice to use 
a random bit for each item (for instance, if she has sent 



1G 



I + z), she must still decide whether to announce 5++ or 

iS-l ) . In a true implementation, the production of local 

random bits is one of the most time-consuming tasks. In 
the two-sets protocol, an easier sifting procedure can be 
implemented: for instance, Bob reveals whether he has 
got a detection in the "+" or in the "— " detector. If Al- 
ice has sent a state in S++ (S ), the detection in "— " 

("+") is conclusive: then, Alice tells Bob whether the 
bit is accepted or discarded. Obviously, no random bit is 
needed for such a sifting. 

The intuition based on incoherent attacks suggests that 
the two- and the four-sets protocols are equivalent: after 
all, Eve has to distinguish among the same four states be- 
fore sifting takes place; and after sifting, her knowledge 
is the same in both protocols. While this equivalence 
probably holds indeed, the lower bound computed with 
our method is slightly less favorable in the two-sets case. 
In fact, one finds after some algebra 



Ai 
A 2 
A 3 
A 4 



C($+| Po |<f + ) 

C[(*-\p \*-)+2( X -\po\x-)] 
C(x + \po\x + ) 

a [2<*-|po|*-> + <x"IpoIx->] 



(Bl) 



where |x ± ) = 75(1$") ± and C* = § with C 

defined in Eq. (9). Note that C is not the same as in 
(13); also, the structure of (13) would be recovered if 
we'd replace the states |% ) by the incoherent mixture 

The constraints imposed by (Bl) are less tight than 
those imposed by (13): actually, Ai and A3 are uncon- 
strained but for (12). For A2 and A4, it is easy to see 
that A 2 - 2A 4 = -3C , (*~|p | v I / ~) < and symmetrically 
A 4 - 2A 2 = -3(7(x~|po|x~) < 0, whence 



y < A 4 < min(2A 2 ,Q) . 



(B2) 



Using this constraint, the optimization of n gives a lower 
bound Q < 8.90% (Q < 7.74% if we'd have neglected 
preprocessing). Thus, the lower bound obtained for the 
two-sets protocol is worse than the one found for the orig- 
inal four-sets protocol. This is not a conclusive proof of 
inequivalence, in so far as we don't know whether each 
bound is tight. 



APPENDIX C 

The calculations leading to the expression of Eve's in- 
formation (27) plotted in Fig. 1 can be done analytically 
up to some extent. The three eigenvalues of Ma are 

2 A /D( 2 -3D) 



A± 



1+2D 



and Aq = 0, whence the natural 



labelling for the index e of the main text is 
ee{0,+,-}. 



In the basis where |00) = e\, 1 01) = e 2 and 1 10) = e 3 , 
and with a± = ~ — , the corresponding normal- 

ized eigenvectors are 



\m±) = 



a± 
1 



\m ) 



2 a ± 



1 



± 
D 



V2 - 3D 



VI - 2D 
VI - 2D 



One sees that the calculation is heavy, and since the func- 
tion (27) is not algebraic, ultimately one must make use 
of the computer; that is why these analytical results are 
of limited utility. Still, we can use them to obtain more 
insight on Helstrom's strategy. In fact, the general calcu- 
lation scheme described in the main text can be described 
as follows: 

• When Eve finds the positive eigenvalue A + , she 
guesses Alice's bit to be (see the definition of 
Ma); when she finds the negative eigenvalue A_, 
she guesses Alice's bit to be 1. These two cases 
appear with the same probability (pe=+ = Pe=-) 
and Eve's guess is correct with the same probability 

Pguess — PA=0\E=+ = PA=l\E=-- 

• With probability pe=o, Eve finds the eigenvalue 
Aq, from which she cannot draw any conclu- 
sion. Indeed, it is the case: (mo\MA\m n ) = 
implies (mo\p E =0 \mo) — (m |/o^ =1 |m ), whence 
Pe=o\a=o = Pe=o\a=i = Pe=o- Consequently, us- 
ing Bayes' rule (28), we find pa=o\e=o = \- 

Following these remarks, Eve's information (27) can be 
rewritten as: 



I{A : E) = (1 -p B=0 )(l - h{p guess )) . 



(C2) 



(CI) 



APPENDIX D 

In this Appendix we show how the five constraints (69)- 
(73) reduce to the three conditions (74)- (76), as claimed 
in IV C 3. 

Using the expression (43) for po(n), we can rewrite the 
first constraint (69) as 

Y,PB\E(n)(l-r,T^Y.P^ n )^-^ n ( D1 ) 

n n 

which is (74). By replacing the expression (46) forp^ cc (n) 
into (70), we find that this second constraint is satisfied 
by adding to (Dl) the condition 

Y,PB\ E {n){\ - 77/2)" = 5>*(n)(l - ry/2)" (D2) 
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which is (75). Finally, because of (54), the third con- 
straint (71) is automatically satisfied if the first two 
are. In summary, the first three constraints (69)-(71) 
are equivalent to the two conditions (74) and (75). 
Consider now constraint (72). From (44), we have 

p: cc (n,l)=p d (l-p d )(l-r,) n for all n, (D3) 

Pacci^V) = (1-^5+^(1,1), (D4) 

whence the l.h.s. of (72), up to the factor (1 — Pd), reads 

p A {l)pu(l)TlD+p d V B \ E ■?{!). 

Using again (44), the r.h.s. of (72), up to the factor 
(1 -Pd), reads 

5> B (») [(1 - Frf) n - (1 - r,) n ] + Pd V B - f (1) • 

n 

Since we have already imposed (74), equality of these two 
expressions is obtained if and only if (76) holds. 

Finally, we have to discuss (73). From (53) we note 
that p|(l,U) is actually independent of V because this 
parameter appears in the combination F + D = 1. In 
particular, p|(l,U) = p|(l, 1) whence the l.h.s. of (73) 
becomes 

1 - (1 - Pa)[l + Vb\e ■ f (1)] + (1 - p d ) 2 Vb\e ■ f (1) , 

which is entirely determined by (74) and is independent 
of V. However, the r.h.s. of (73) does depend on V. 
Consequently, for the strategies that we have considered, 
constraint (73) is automatically satisfied by (74) if V = 1 
and cannot be satisfied exactly if V < 1. In this last case 
however, the discrepancy is rather small. In fact 

pi(n, V) = pi(n, 1) + n V D(l - (1 - r?)"- 1 ) + O(^) 2 

and the leading term in the discrepancy will be the one 
associated to n = 2, that is 

p B \ E {2) |p|(2, V) - pi(2, 1)| w p B]E {2) 2 V 2 D . (D5) 

Specifically, for a Poissonian source the discrepancy is 
\C 2 Z (V)-Ci(l)\ i.e. using (55) 

\p(0\x) + 1] - \p(0\xF) + P (0\xD)] = FDx 2 + 0(x 3 ) 

with x = \itr\, consistent with (D5) using (81). Since 
typical values are r\ ~ 0.1 and D < 1%, this discrepancy 
is small. Thus, we can assume that (73) is satisfied as 
well, and we have proved that the constraints (69)-(73) 
reduce to (74)-(76) as claimed. 



APPENDIX E 

In this Appendix, we re-derive the results on the opti- 
mal parameters for Eve's attack that have been obtained 



by numerical optimization, see IV D 2. As we said there, 
we work in a more restricted setting, by neglecting the 
possibility of double counts: Eve forwards always one 
photon (if any) to Bob, that is s(m\n) = r{m\n) = <5 TOj i 
for all n. We also neglect Alice's preprocessing, which 
makes very minor modifications in the end (i.e., q = 0). 
However, we do not assume that Alice's source is Poisso- 
nian. 

We study the constraints first. Since Eve forwards only 
one photon to Bob, Pb\e{ u > 1) = and Pb\e{®) = 
1 ~ Pb\e(^)- Constraint (75) cannot be satisfied, but at 
long distance this is supposed to be a very small con- 
tribution. Constraint (74) reads Pb\e(1) = C where 
C = [Pb ■ r(l) — l]/r) depends only on parameters which 
are outside Eve's control; and 

Pb\e(1) =Pa(1)pv(1)+Pa(2)ps(2) 

+ ^2pA h ) Ps(n) +Pi(n)p ok {n) 

n>3 

The constraint (76) is of the formp A (l)pu(l) = (1/-D) C 
where C = Vb • [F(F) — T(l)]/r) depends only on param- 
eters which are outside Eve's control. Using these two 
constraints, we can express pa(1)pu(1) and pa(2) P s(2) 
as a function of the other parameters. The quantity that 
Eve must optimize (66) reads now 

I(A : E)=p A (l)p V (l)I V (D)£ + p A (2)p s (2)I s (l)^ 



+ ^2PA(n)[p s {n)I s (n - 1) + pi(n)p ok (n) £ = 

n>3 

= Z{CK{b) + J2PA(n) Ps (n)£(n) 

n>3 

+CI s (l) + Y J PA(n)p ok (n) (1 - J S (1)) } (El) 

n>3 

where we have defined £ = p acc (l, V),£ = p a cc(^, 1) and 

K(D) = l(il v (D)-I B (l)) (E2) 

£(n)=Js(n-l)-/s(l)-p„ fc (n)(l-J s (l)) (E3) 

In writing (El) we made explicit use of the constraints 
and of pi(n) = 1 — ps(n) for n > 3. The problem of 
finding Eve's best attack is thus reduced to the study of 
K(D) and of £(n) for all n. These functions are inde- 
pendent of the statistics PA(n) of Alice's source. 

The function K(D) depends only on one free param- 
eter, D, and is independent of the distance. Therefore, 
Eve will maximize her information by introducing always 
the same amount of error Do, the one which maximizes 
K(D). If we insert r\ = 0.1 and p d = 10~ 5 in £/£, the 
maximum is obtained for D ~ 0.191, which is exactly 
the value found by the numerical optimization. 

The study of the C{n) is just as easy. In fact, by us- 
ing the explicit expressions (57) for Is(n) and (58) for 
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Pok(n), one sees that £(3) ~ —0.054 while > for 

n > 4. Thence Eve's information (El) is maximized by 
the choice ps(3) = and ps(n > 4) = 1: Eve performs 
always the I attack when n = 3 and the S attack when 
n > 4. Again, this is exactly what has been found in the 
numerical optimization. 
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